<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=3" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <title>bk (Ben Koehl) (@bkMSFT): &quot;Today @ANSSI_FR released a report on intrusions in France. These intrusions are linked to ZIRCONIUM&#x2F;APT31 per their reporting.

https:&#x2F;&#x2F;www.cert.ssi.gouv.fr&#x2F;ioc&#x2F;CERTFR-2021-IOC-003&#x2F;

Indicators: http:&#x2F;&#x2F;www.cert.ssi.gouv.fr&#x2F;uploads&#x2F;CERTFR-2021-IOC-003-IOC.json&quot; | nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="bk (Ben Koehl) (@bkMSFT)" />
    <meta property="og:description" content="Today @ANSSI_FR released a report on intrusions in France. These intrusions are linked to ZIRCONIUM/APT31 per their reporting.

https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/

Indicators: http://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-IOC-003-IOC.json" />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <div class="container"><div class="conversation">
        <div class="main-thread">
          <div id="m" class="main-tweet"><div class="timeline-item thread thread-line"><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/bkMSFT"><img class="avatar" src="/pic/profile_images%2F972493023635558401%2FTDJ9xci1_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/bkMSFT" title="bk (Ben Koehl)">bk (Ben Koehl)</a>
                        <a class="username" href="/bkMSFT" title="@bkMSFT">@bkMSFT</a>
                      </div>
                      <span class="tweet-date"><a href="/bkMSFT/status/1417823714922610689#m" title="21/7/2021, 12:28:10">Jul 21</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Today <a href="/ANSSI_FR" title="ANSSI">@ANSSI_FR</a> released a report on intrusions in France. These intrusions are linked to ZIRCONIUM/APT31 per their reporting.

<a href="https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/">cert.ssi.gouv.fr/ioc/CERTFR-…</a>

Indicators: <a href="http://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-IOC-003-IOC.json">cert.ssi.gouv.fr/uploads/CER…</a></div>
                <p class="tweet-published">12:28 PM · Jul 21, 2021</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 32</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 4</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 81</div></span>
                </div>
              </div></div></div>
          <div class="after-tweet thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/bkMSFT/status/1417823934767116291#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/bkMSFT"><img class="avatar" src="/pic/profile_images%2F972493023635558401%2FTDJ9xci1_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/bkMSFT" title="bk (Ben Koehl)">bk (Ben Koehl)</a>
                        <a class="username" href="/bkMSFT" title="@bkMSFT">@bkMSFT</a>
                      </div>
                      <span class="tweet-date"><a href="/bkMSFT/status/1417823934767116291#m" title="21/7/2021, 12:29:02">Jul 21</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">"Investigations show that this operating mode compromises routers to use them as anonymization relays, prior to carrying out reconnaissance and attack actions."</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 3</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 8</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/bkMSFT/status/1417824175679545345#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/bkMSFT"><img class="avatar" src="/pic/profile_images%2F972493023635558401%2FTDJ9xci1_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/bkMSFT" title="bk (Ben Koehl)">bk (Ben Koehl)</a>
                        <a class="username" href="/bkMSFT" title="@bkMSFT">@bkMSFT</a>
                      </div>
                      <span class="tweet-date"><a href="/bkMSFT/status/1417824175679545345#m" title="21/7/2021, 12:30:00">Jul 21</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">ZIRCONIUM appears to operate numerous router networks to facilitate these actions. They are layered together and strategically used. If investigating these IP addresses, they should be used mostly as source IPs, but on occasion they are pointing implant traffic into the network.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 3</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 10</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/bkMSFT/status/1417827552224235522#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/bkMSFT"><img class="avatar" src="/pic/profile_images%2F972493023635558401%2FTDJ9xci1_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/bkMSFT" title="bk (Ben Koehl)">bk (Ben Koehl)</a>
                        <a class="username" href="/bkMSFT" title="@bkMSFT">@bkMSFT</a>
                      </div>
                      <span class="tweet-date"><a href="/bkMSFT/status/1417827552224235522#m" title="21/7/2021, 12:43:25">Jul 21</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Historically they did the classic "I have a DNS name -&gt; IP" approach for C2 communications. They've since moved that traffic into the router network. This allows them flexibility to manipulate the traffic destination at several layers while slowing the efforts of pursuit elements.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 3</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 10</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/bkMSFT/status/1417827820454170624#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/bkMSFT"><img class="avatar" src="/pic/profile_images%2F972493023635558401%2FTDJ9xci1_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/bkMSFT" title="bk (Ben Koehl)">bk (Ben Koehl)</a>
                        <a class="username" href="/bkMSFT" title="@bkMSFT">@bkMSFT</a>
                      </div>
                      <span class="tweet-date"><a href="/bkMSFT/status/1417827820454170624#m" title="21/7/2021, 12:44:29">Jul 21</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">On the other side they are able to exit in the countries of their targets to _somewhat_ evade basic detection techniques.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 8</div></span>
                </div>
              </div>
            </div>
          </div>
        </div>
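        <p>An added example, not part of the original thread or of the ANSSI report: one way to apply the thread's guidance when matching relay indicators against flow logs, separating hits where the indicator is the source from the rarer hits where an internal host sends traffic to it. The indicator IPs, flow records and internal ranges are constructed placeholders, and reading "implant traffic" as internal-to-indicator flows is an assumption.</p>

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders from the RFC 5737 documentation ranges, not real indicators.
INDICATORS = {ipaddress.ip_address(ip) for ip in ("192.0.2.10", "198.51.100.77")}
# Assumed internal address space; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("2021-07-21T09:00:01Z", "192.0.2.10", "10.1.4.20", 443),     # indicator as source
    ("2021-07-21T09:00:05Z", "192.0.2.10", "10.1.4.21", 22),      # indicator as source
    ("2021-07-21T09:02:10Z", "10.1.7.33", "198.51.100.77", 443),  # indicator as destination
    ("2021-07-21T09:03:00Z", "10.1.7.33", "203.0.113.200", 443),  # no indicator involved
    ("2021-07-21T09:07:10Z", "10.1.7.33", "198.51.100.77", 443),  # indicator as destination
]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def classify(flow, indicators=INDICATORS):
    """Return 'inbound', 'outbound' or None for one flow record."""
    _, src, dst, _ = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip in indicators and is_internal(src_ip):
        return "outbound"  # internal host talking to a relay: possible implant traffic
    if src_ip in indicators:
        return "inbound"   # relay used as a source IP: the common case per the thread
    return None

def triage(flows, indicators=INDICATORS):
    """Group indicator hits by direction so the two cases are reviewed separately."""
    report = {"inbound": defaultdict(set), "outbound": defaultdict(list)}
    for flow in flows:
        ts, src, dst, port = flow
        direction = classify(flow, indicators)
        if direction == "inbound":
            report["inbound"][src].add((dst, port))          # which hosts were touched
        elif direction == "outbound":
            report["outbound"][src].append((ts, dst, port))  # keep timing for beacon review
    return report

def hosts_to_examine(report):
    """Internal hosts that sent traffic to an indicator IP, most hits first."""
    outbound = report["outbound"]
    return sorted(outbound, key=lambda host: -len(outbound[host]))

if __name__ == "__main__":
    print(hosts_to_examine(triage(SAMPLE_FLOWS)))
```
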
      </div></div>
  </body>
</html>